Malware Recovery: What to Do When Google Says You’ve Been Hacked

You are doing very well in your business, your website is always updated and you always have a good ranking when it comes to Google. However, one fine day all this comes down crashing. Your heart sinks when you see that the traffic on your website has gone down considerably and there are multiple malware warnings from Google. You don’t know what happened and how it happened and before you start assuming let us tell you, it’s not the website fault or an error committed by any employee. If there are warning from Google about malware on your website it is not an error and cannot be taken lightly. It is possible that a hacker may have accessed your website, uploaded the malicious code, and left. Yes, this may happen no matter how secure your website is.If your site is hacked it is not a good sign for business as your ranking gets affected considerably and also your visitors may get their computers infected. Well, this doesn’t sound good at all and this needs to be fixed on priority. But, before fixing any problem, you need to know the root cause of the problem. And you can get to the root only when you understand what has actually happened.

“Meaning of sight hack and the reasons behind it”

Before diving into any solution, you need to know what exactly is the problem and how did it happen. Today, 90% of the time a website is hacked for financial gain while the other 10% time it is done for fun. The hacker can be anyone; it can be your business competitor or an ex-employee with a grudge. It can also be a person who is just fooling around with you for fun. Today if see, there is a huge massive increase in scareware. This scareware is that type of malware that tricks everyone into buying software to cure the scareware. The majority of people think that the scareware is the real Microsoft virus scanner but in reality, it is the real culprit. In other words, the scanner is the malware acting as scareware. If we were to give a real-life example than let’s suppose, you intake cough syrup to cure your coughing, but the cough syrup itself is made of chemicals which is likely to damage your health eventually. So here in this example, when your hack signhealth deteriorates the cough syrup is the actual culprit and not your cough syrup. You cannot get fooled by a fake virus scanner just like you cannot get fooled by a harmful cough syrup.
Now coming back to your website malware can be done by a hacker if he is looking for some valuable information on internal networks or he could simply want to spread the malware to as many computers as possible with the sole purpose of extortion. When you want to understand what exactly a site hack is, trust us the answer is very simple. A person actually accessed and modified the code on your website without your permission. In most cases or let’s us say that about 99% of the time, a piece of JavaScript (JS) code being added to each index.html/php page. Once the hacker gets access to your website, he will inject the malicious JS code into your files. Now, this code can do a lot of things like redirect the user to a different page (usual spam), redirect the website’s PageRank (via links) to the hacker’s site or client’s site or in the worst scenario, the JS code could trigger “drive-by” downloading of the malware to infect the website’s visitors’ computers. Well, this seems not just bad but worse for everyone – your business, your users or clients, and even your staff.

“Determining the possible causes is important”

Now when you know what is a site hack and how it happens, you will need to determine the possible causes for the same. No matter how safe you feel your computer is or how best security you have, it’s better to face the truth that even top-notch security may fail to protect you. Every coin has two sides and there is always a back door when it comes to all web elements. This is especially true when you use a common Content Management System (CMS) like WordPress, Joomla, SimpleCMS, Magento, or other such open sources CMS. Remember, there is a strong possibility your site can be compromised with known SQL injections. Also, note also that the most common access point for a website malware hack is not the website, but the computers on which it was developed and accessed. If you are very particular about your software then assuming that all the softwares on your website are up to date, and all your updates/patches are working fine, you will often see when the user’s computers are infected. Now we need to understand how does this actually happen? A hacker first tries to hack your website but since it is secure he has to move out and he goes to a less secure site. The hacker accesses our website, accesses the website, installs malicious hacked script to enable “drive-by” downloads (the ability for the script to auto-install and run malware).When a user, who is a webmaster or has access to his website, visits the site. The JS autoloads and runs, then installs the malware copy on the visitor’s computers. Here you need to note that the visitor is a webmaster and once the webmaster visits the compromised computer, there are signs. He/she may see weird things like a quick flash on the screen or multiple hourglass icons when seemingly idle and also an increase in running tasks (on Windows) found in the task manager. Now, this is clear that the visitor’s or our webmaster’s computer is affected, but you might want to know how the malware makes it to the website? Well, we understand that it might be hard to believe that malware to reached your website. Your visitor has no clue that the computer has been infected and they resume working. As the user keeps working on the computer or just surfing around, the malware works in the background and scans for user login details. You might think that the malware would be looking for banking, Paypal or Facebook details but in reality it is actually looking for CoreFTP and FileZilla logins. You might not be aware that most common FTP programs store your passwords in PLAIN TEXT! Well, this means that once the malware finds the common directories and locations of stored passwords, it sends all them to the hacker. It’s like a spy who has been sent to investigate. Now, the hacker has access to your website, who will regenerate his malware and redistribute it on your website.
It seems like a nightmare but it indeed is a scary truth. Now that you know the root cause of the problem, you must start fixing it or should we say clean up the mess?

“Cleaning is the next step after determining detecting the problem”

Cleaning the malware is a difficult task. It is stressful and time-consuming. We advise you to seek professional help if you are not familiar with coding and you don’t know what is supposed to “look right” on your website. And if you are familiar and comfortable then here are some things that you should do.
The first step is cleaning. It’s like a thumb rule. If anything is spoilt you need to first clean it. If there is a storm and soil has blown with the wind through the windows of your houses, you pick up a mop and start cleaning. Similarly, when it comes to your system, you flush out the system clean all the viruses and malware before fixing up anything. If you try to fix it before cleaning up, there are chances for the entire cycle to be repeated which will cost you dearly as you will be catching up. Now, here we have a comprised list orderly of what should be done.

• Report the incident to your hosting provider and/or IT staff.
• Scan all the computers that have access to your website. ALL means ALL, there can’t be any exceptions no matter what.
• Run multiple scanning tools. We suggest Malware Bytes, SpyBot Search and Destroy, ComboFix, and Microsoft Security Essentials.
• Also, remember to update your virus scanner before all scans.
• Scan your startup directory. In Windows, go running>msconfig and scan each item.
• Through your Registry Editor (Windows), scroll through each “Run” entries to look for suspicious items.
• Change ALL passwords associated with your website, CMS admin sections, FTP, MySQL, control panels, without fail.
• Download all of your files from your website (for review and analyzing the hacked code).

Now if you have a backup for your website, it’s time to restore and if you do not have any, you could always ask the hosting company. But if you do not get the backup from there, do not panic. There is a manual way to remove these links. It is definitely not challenging but extremely time-consuming as a lot of research. The most logical thing to do would be to download your entire FTP and simply sort the files by the date they were modified. Obviously, the compromised files would have been accessed last. Typically it is mostly the index.php file that has been affected. When you scan the code, you want to look for weird encrypted JS on the very top or very bottom of the code and you will understand the issue immediately. Now if you plan to proceed with manual removal, all you need to do is review and edit every infected file with the code. Simply removing the code from the file and re-uploading will cure the problem. However, you need to make sure to double-check all files both by visually scanning, and then by sorting all of them by modified date — to ensure you captured all compromised files.Well the big part is over but the problem is not solved yet. If your website is hit with malware, which mostly would be you need to review your Google/Bing Webmaster Tools to verify that you fixed any problems Google/Bing found. This can be simply done by sending a response to a notification or a reconsideration request. The best thing is that Google is very good at restoring rankings once a problem is fixed. So, you need to wait for just 7-14 days for the completion of the process. Remember this can happen with anyone and everyone. However, as the saying goes prevention is better than cure. One should always be prepared and try to prevent such situations.

“Prevention is always better than cure”

If your website encounters malware, it could cost you and your business a lot as it would put your website offline for days if you’re lucky, or else it can even go on for weeks. However, you can always be prepared or better yet, prevent ourselves from becoming victims. If you run a CMS (such as Joomla or WordPress) on your website, there are some security measures that need to be taken care of, they are as follows:

• Keep your CMS updated;
• Always hide default login areas (such as /administrator or /wp-admin);
• Change default user’s names (most CMSes have “admin” as the default login, so try to change this to something a bit more personalized and secure);
• Ensure your hosting provider keeps their servers secure;
• Install and configure backup utilities.

There are multiple areas that need protection. But remember the malware attacks one’s personal computer. So apart from keeping your website secure, you also need to keep your personal computer secure, as do any co-workers or firms who have access to your website. Remember, everyone is responsible for keeping the website protected. Always make sure that all computers that are accessing your website via FTP are secure. Some basic steps that can be taken are as follows:

• Keep up with OS updates and patches.
• Keep all software updated and patched.
• Regularly scan your computer with the aforementioned software – and keep in mind that your anti-virus software is useless if you do not keep it updated.
• Do NOT save your passwords in your FTP programs.
• If you have multiple FTP users, assign different rights for different uses. Avoid giving all users access to the entire FTP root.